6.857 Computer and Network Security October 17, 2002Lecture Notes 12 : TCPA and PalladiumLecturer: Pato/LaMacchia Scribe: Barrows/DeNeui/Nigam/Chen/Robson/Saunders/WalshJoe Pato of Hewlett-Packard presented the Trusted Computing Platform Alliance (TCPA). BrianLaMacchia of Microsoft presented Palladium. Barrows, DeNeui, and Nigam scribed the notes onTCPA. Chen, Robson, Saunders, and Walsh scribed the notes on Palladium. Slides from bothspeakers are available on the 6.857 Web site.TCPAOutline• Why Trusted Computing Platforms• The Trusted Computing Platform Alliance• TCPA Concepts• TCPA Feature Set• Benefits of TCPA1 Why Trusted Computing PlatformsThe overall goals of a trusted computing platform are to increase business and customer confidencewith the security of a platform, to reduce business risks associated with insecurely storing data, andadditionally to protect end-user private data.A trusted computing platform should address questions such as: Can I trust a target machine tobehave in an expected manner (maybe based on past performance)? Can I have confidence ininteracting with the platform? Can I trust you (the user) to be what you say you are?A Trusted Computing Platform should:• Recognize that a platform has known properties• Identify that a system will behave as expected• Enable a user to have more confidence in the behavior of the platform in front of them0May be freely reproduced for educational or personal use.12 3 TCPA CONCEPTS• Reduce business risks by enabling trust in the behavior of critical information systems• Protect end user private data and information by enabling trust in end systems (unknown ifcurrent technology trajectory will lead to this result)2 The Trusted Computing Platform Alliance (TCPA)Doomsayers claim the TCPA is the conspiracy to prevent artistry, anonymity, or assembly. Otherswonder if TCPA is the conspiracy in prelude to the apocalypse, and wonder if this is the end of freecomputing. Some skeptics question how the TCPA will know the end has been reached and wonderif we are getting on the slippery slope to ’Big Brother’ baked into a computer. Joe Pato said thathis lecture will demonstrate that TCPA is none of these.HistoryThe TCPA is an industry group started in 1998. It was founded by Compaq, HP, IBM, Intel, andMicrosoft. Currently the group has 180 members from the hardware, software, communications,and security technology industries. The group is focused on defining and advancing the conceptof trusted computing. Competition in the security space and the need for cheap cryptographyprompted creation of this group. The companies also needed to bypass crypto export regulations,and as a result wanted to work towards this goal with other players in the field.The TCPA Charter• Provide a ubiquitous and widely adopted means to address trustworthiness of computing plat-forms• Publish an open specification for public review• Define a technology specification that can be applied to any type of computing platform3 TCPA ConceptsDefinition: A platform can be trusted if it behaves in the expected manner for the intended purpose.TCPA Technology provides the mechanisms for:• Platform authentication and attestation — is this platform actually a TCPA platform?• Platform integrity reporting — has this TCPA platform been modified in any fashion?• Protected storage — enabling secure stable storage in the presence of adversaries, architectureenables root of trust that allows third parties to rely on this trust3Figure 1: The Authenticated Boot Process (courtesy of Joe Pato, HP Labs)To achieve this, TCPA relies on the concept of a root of trust. A third party can rely on informationprovided by a platform’s root of trust. The root of trust must be able to report on software that hasbeen executed, and must be able to keep secrets from the rest of the platform. There are two rootsof trust and it is necessary to trust these roots of trust for TCPA mechanisms to be relied upon.• A root of trust for reporting — The component that can be trusted to store and report reliableinformation about the platform• A root of trust for measurement — The component that can be trusted to reliably measureand report to the root of trust for reporting what software executes on platform bootThe Trusted Platform Module (TPM)The TPM is the Root of Trust for Reporting and is uniquely bound to a single platform. TPMfunctions and storage are isolated from all other components of the platform. The TPM is tamperresistant and tamper evident. It also contains various cryptographic functions and properties includ-ing PRNG, key storage, and some cryptographic functions. However, there is no bulk cryptographybuilt into the TPM.The Core Root of Trust for Measurement (CRTM)The CRTM is the first piece of code that executes on a platform at boot time. It must be trustedto property report to the TPM what software executes after it. The CRTM reports a hash of theBIOS to the TPM, the TPM stores this, and then CRTM passes off control to the BIOS. The BIOShashes various ROMS associated (i.e. the OS Loader) with bootup, TPM securely stores this, theBIOS then loads and executes ROM procedures.Q: How does CRTM ensure that the boot is authentic?A: The CRTM builds a chain of hash codes for each portion of the boot. This chain is used toascertain exactly what software was loaded on boot, the user can then check this with pastboot chains and gauge if the boot sequence has been tampered with.4 4 THE TCPA FEATURE SET4 The TCPA Feature Set• Platform Authentication• Integrity Reporting• Protected StoragePlatform AuthenticationTCPA provides for the TPM to have control over multiple pseudonymous attestation identities. TPMattestation identities do not contain any owner or user related information. A platform identityattests to platform properties. No single TPM identity is ever used to digitally sign data, thisprovides privacy protection. A TPM identity certification is required to attest to the fact that theyidentify a genuine TCPA platform. The TPM identity creation protocol allows for the choice ofdifferent Certification Authorities (Privacy-CA) to certify each TPM identity to prevent correlationof the TPMs.Integrity ReportingTo trust that the TPM is a genuine TPM on a genuine trusted platform, the measurements reportedto the TPM during (and after) the boot process cannot be removed or deleted until reboot. Addingeach step in the boot process to the TPM hash vector
View Full Document
Unlocking...